Microsoft is urgently advising Windows server customers to patch a vulnerability that allows attackers to take control of entire networks with no user interaction and, from there, rapidly spread from computer to computer.
The vulnerability, dubbed SigRed by the researchers who discovered it, resides in Windows DNS, the server component that answers requests to translate a domain name into the IP address computers need to locate it on the Internet. By sending maliciously formed queries, attackers can execute code that gains domain administrator rights and, from there, take control of an entire network. The vulnerability doesn't apply to client versions of Windows; it is present in server versions from 2003 to 2019. SigRed is formally tracked as CVE-2020-1350. Microsoft issued a fix as part of this month's Update Tuesday.
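Because the bug lives in the DNS Server role, the first thing an administrator wants is a way to tell which hosts are exposed at all and which still need the update. The PowerShell below is an added triage script, not code from the article or from Check Point: it checks whether the DNS Server service exists, optionally checks for the update by hotfix ID, and can apply or remove the interim mitigation Microsoft published alongside the advisory (a registry DWORD, TcpReceivePacketSize = 0xFF00 under the DNS\Parameters key, followed by a restart of the DNS service, which caps the size of DNS packets the server accepts over TCP). The -PatchKBs parameter is an assumption: the KB number for the July 2020 update differs per Windows version, so supply the ones that apply to your servers.

```powershell
# Added example (not from the Ars Technica article or Check Point's write-up).
# Triage one Windows server for CVE-2020-1350 (SigRed):
#   1. Is the DNS Server service present at all?  (client SKUs are not affected)
#   2. Has the July 2020 update been installed?  (KB IDs supplied by the caller)
#   3. Is Microsoft's published interim mitigation in place?  The advisory's
#      workaround sets the DWORD TcpReceivePacketSize = 0xFF00 under the
#      DNS\Parameters key and restarts the DNS service.
#   4. Remove the workaround again once the update is installed, so the server
#      returns to its default behaviour.
# Run elevated.  -ApplyWorkaround / -RemoveWorkaround change the registry and
# restart the DNS service; without them the script only reports.

[CmdletBinding()]
param(
    [switch]$ApplyWorkaround,
    [switch]$RemoveWorkaround,
    [string[]]$PatchKBs = @()   # assumption: fill with the KB IDs for your OS builds
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'TcpReceivePacketSize'
$safeValue = 0xFF00   # 65280 bytes, the value from Microsoft's advisory

# 1. Exposure: no DNS Server service means nothing to patch or mitigate here.
$svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'DNS Server service not present: host is not exposed to CVE-2020-1350.'
    return
}
Write-Output "DNS Server service found (status: $($svc.Status))."

# 2. Patch check, only meaningful if the caller supplied KB IDs.
if ($PatchKBs.Count -gt 0) {
    $installed = Get-HotFix | Where-Object { $PatchKBs -contains $_.HotFixID }
    if ($installed) {
        Write-Output "Patched: $($installed.HotFixID -join ', ') installed."
    } else {
        Write-Warning 'None of the supplied KBs are installed; server is likely unpatched.'
    }
}

# 3. Mitigation state: the value must exist and be no larger than 0xFF00.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -ne $current -and $current -le $safeValue) {
    Write-Output ('Workaround present: {0} = 0x{1:X}' -f $valueName, $current)
} else {
    Write-Warning ('Workaround not present ({0} unset or above 0x{1:X}).' -f $valueName, $safeValue)
}

if ($ApplyWorkaround) {
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $safeValue -Force | Out-Null
    Restart-Service -Name DNS
    Write-Output 'Workaround applied and DNS service restarted.'
}

# 4. Clean-up after patching: drop the value so the default limit is restored.
if ($RemoveWorkaround) {
    Remove-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    Restart-Service -Name DNS
    Write-Output 'Workaround removed and DNS service restarted.'
}
```

The workaround is a stopgap, not a substitute for the update: it blocks the oversized TCP responses the overflow depends on but leaves the vulnerable code in place, and the DNS service restart it requires causes a brief outage, so schedule it on domain controllers accordingly.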
Both Microsoft and the researchers from Check Point, the security firm that discovered the vulnerability, said that it's wormable, meaning it can spread from computer to computer in a way that's akin to falling dominoes. With no user interaction required, computer worms have the potential to propagate rapidly just by virtue of being connected and without requiring end users to do anything at all.
When a worm's underlying vulnerability easily allows malicious code to be executed, exploits can be especially pernicious, as was the case with both the WannaCry and NotPetya attacks from 2017 that shut down networks worldwide and caused billions of dollars in damage.
Check Point researchers said that the effort required to exploit SigRed was well within the means of skilled hackers. While there's no evidence that the vulnerability is actively under exploit at the moment, Check Point said that's likely to change, and if it does, the destructive effects would be high.
In a technical analysis, Sagi Tzadik, the company researcher who found the vulnerability in May and privately reported it to Microsoft, wrote:
We believe that the likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug. Due to time constraints, we did not continue to pursue the exploitation of the bug (which includes chaining together all of the exploitation primitives), but we do believe that a determined attacker will be able to exploit it. Successful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially Domain Controllers. In addition, some Internet Service Providers (ISPs) may even have set up their public DNS servers as WinDNS.
In a brief writeup here, Microsoft analysts agreed the underlying heap-based buffer overflow was wormable. The company also rated the chances of exploitation as “more likely”. Many outside researchers concurred.
“If I've understood the article correctly, calling it wormable is actually an understatement,” Vesse
Source: arstechnica